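# Default deny; the last matching rule wins unless a rule is marked "quick".
block all
# Local networks that are reached directly instead of through Tor.
non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"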
match all scrub (no-df random-id reassemble tcp)
antispoof for egress inet
block return log on egress all
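# Traffic arriving on lo1 is diverted to the local listeners on 127.0.0.1:
# port 9040 for TCP and port domain for DNS over UDP.
pass in quick on lo1 inet proto tcp all flags S/SA modulate state \
	divert-to 127.0.0.1 port 9040
pass in quick on lo1 inet proto udp to port domain \
	divert-to 127.0.0.1 port domain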
pass quick on { lo0 lo1 }
block return in on ! lo0 proto tcp to port 6000:6010
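# Connections opened by the Tor daemon itself (user _tor) leave directly.
pass out quick inet proto tcp user _tor flags S/SA modulate state
# Outbound DNS over UDP is routed to lo1, where the divert-to rule picks it up.
pass out quick inet proto udp to port domain route-to lo1
# Local networks bypass the redirection.
pass out quick inet to $non_tor
# All remaining outbound TCP is routed to lo1.
pass out inet proto tcp all route-to lo1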